CVE-2026-54431

Source
https://cve.org/CVERecord?id=CVE-2026-54431
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54431.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54431
Downstream
Published
2026-07-02T10:30:57.655Z
Modified
2026-07-15T15:53:47.873655Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Improper Data Validation in liboauth2
Details

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.

This issue was fixed in version 2.3.0

Database specific
{
    "cwe_ids": [
        "CWE-358"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54431.json",
    "cna_assigner": "CERT-PL"
}
References

Affected packages

Git / github.com/openidc/liboauth2

Affected ranges

Type
GIT
Repo
https://github.com/openidc/liboauth2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.3.0
v1.4.0
v1.4.0.1
v1.4.1
v1.4.2
v1.4.2.1
v1.4.3
v1.4.3.1
v1.4.3.2
v1.4.4
v1.4.4.1
v1.4.4.2
v1.4.5
v1.4.5.1
v1.4.5.2
v1.4.5.3
v1.4.5.4
v1.4.5.5
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.2.0
v2.2.1

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "83611846850022088915769138665119651836",
            "length": 1637.0
        },
        "deprecated": false,
        "id": "CVE-2026-54431-2939a05d",
        "target": {
            "function": "_oauth2_dpop_parse_and_validate",
            "file": "src/dpop.c"
        }
    },
    {
        "source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "23151308740223822434004474857488192091",
            "length": 1398.0
        },
        "deprecated": false,
        "id": "CVE-2026-54431-c67738d8",
        "target": {
            "function": "oauth2_check_oauth2_suite",
            "file": "test/check_oauth2.c"
        }
    },
    {
        "source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "67541579385498241229689638919352073542",
                "71105923710531816751393950734704532798",
                "139961722963137673956985017719948636216",
                "127700674184590680035856868189802761110",
                "51097996429359865857972172438617856776",
                "132157232250875614060598125185693908018",
                "156144776036564664485731944246208262585"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-54431-e2895ebe",
        "target": {
            "file": "src/dpop.c"
        }
    },
    {
        "source": "https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "170549969331734292478327281830221556824",
                "268460145044189232012915006416416909219",
                "124407356090368701310767382921407058748",
                "229014875081080440884533028195834763880",
                "203791388306551613751089239515025163376",
                "311200433798077705135285511528313885251",
                "60674617071991362239702694399017038991",
                "170690881604179245514294911864901380586"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-54431-e3eb2821",
        "target": {
            "file": "test/check_oauth2.c"
        }
    }
]
vanir_signatures_modified
"2026-07-15T15:53:47Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54431.json"